what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

phpTrafficA 2.3 Cross Site Scripting

phpTrafficA 2.3 Cross Site Scripting
Posted Apr 8, 2015
Authored by Daniel Geerts

phpTrafficA versions up to 2.3 suffer from a persistent cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2015-2926
SHA-256 | 6001df596ab870db82b21681164b68c5ffaf1a407031673a71786b891c0a4bde

phpTrafficA 2.3 Cross Site Scripting

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Product: phpTrafficA
Product page: http://soft.zoneo.net/phpTrafficA/
Affected versions: Up to and including 2.3 (latest as of writing).

Description:
The user agent string provided by the browser is not sanitized nor
escaped when handled. This string is then outputting into HTML code on
the "Latest visitors > Details" page, leading to HTML injection that can
be abused to perform XSS. For example, the following user agent will
cause a JavaScript dialogbox to pop up as soon as the page is visited:
"><script>alert();</script>

This page can be hidden from the public, in which case only admins can
visit it. However, the script still executes when they do, which could
enable a malicious user agent to steal the phpTrafficA cookie (no
expiry) or other admin credentials.


Proposed fix:
Escape the HTML characters with htmlspecialchars before outputting the
user agent string.

In: Php/stats/statsRecent.inc.php

Line 304:
echo "<tr class=\"data av $even $clrobots $clreturn\"><td
nowrap>$end</td><td>&nbsp;$dur</td><td
align=\"center\">&nbsp;".format_float($hits)."&nbsp;</td><td>&nbsp;<a
href=\"./index.php?mode=stats&sid=$sid&show=clickstream&lang=$lang&ip=$ip\"
title=\"".$strings['Moreinfovisitor']."\"
class=\"basic\">$ipText</a>&nbsp;</td><td
align=\"center\">&nbsp;".format_float($visits)."&nbsp;</td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,$agent)."</td><td>$page</td><td>$refString</td></tr>\n";
becomes:
echo "<tr class=\"data av $even $clrobots $clreturn\"><td
nowrap>$end</td><td>&nbsp;$dur</td><td
align=\"center\">&nbsp;".format_float($hits)."&nbsp;</td><td>&nbsp;<a
href=\"./index.php?mode=stats&sid=$sid&show=clickstream&lang=$lang&ip=$ip\"
title=\"".$strings['Moreinfovisitor']."\"
class=\"basic\">$ipText</a>&nbsp;</td><td
align=\"center\">&nbsp;".format_float($visits)."&nbsp;</td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,htmlspecialchars($agent))."</td><td>$page</td><td>$refString</td></tr>\n";


Line 369:
$echo = "<tr><td valign=\"top\" colspan=\"3\">$ip
($whoislink$baniplink)<br>$host<br>$labelTxt<table
class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td
valign=\"top\" colspan=\"2\">".$strings['Agent'].": $thisagent<br><table
class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].":
";
becomes:
$echo = "<tr><td valign=\"top\" colspan=\"3\">$ip
($whoislink$baniplink)<br>$host<br>$labelTxt<table
class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td
valign=\"top\" colspan=\"2\">".$strings['Agent'].":
".htmlspecialchars($thisagent)."<br><table
class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].":
";



Best regards,
Daniel Geerts
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJVJPGzAAoJEHn1bVIKHk5N5egP/0FRgNCiTwYyFwmqgcNLxOQ5
yuJtnGdGFvH0axXlvm+AgVYOtmM4erduSR3hCaSx4ER7f30SZkRCUuaW8aR1/Tow
bdYzLXNHcY21gXkhHt+bWH7ZkEpUWxXR6ZzrwL5QO3Ez+QkDr1HUmg8QQPUia8Qk
KGY+dbkRXqVR7MYRGjAbyceOEXpxpOtxaZ9UTSmQTGW31Upu+dmqkkOTbvV20tEj
N07T4UwMffCGNWloeuXg8QvIlvwe22kV3+frA2qGxdWKHVl66iJAV0pQ+bxDgoxe
Y3JsYKdeIhB6T0Yt7rpEbzlgaupQ9pg279bzGVVD4Z+AuNhvDY/4K6RZsFB11DGv
eY4VR8KLyNuw5N/wLBGf9ZSL9dLBGatYxi0HoQtrmFqLppo1x6nhEV6A0gRulWRa
9L04PdWKmv+2/prwW9ygT7UFIdApT1q3Uljq9QQIWmdDxGx3YxFmvMVpC5NThtxO
ElN8fhQpUKFss439qiLaGEMKO/D4bNC71Ydo6jvZOWQ+9eBxmMUT7XfK6fnB811c
RTRON1SG73AWcbfpIJ/dM+g0jm6bcvVVQxNmaARdlf+E2ihXnMPU2k39ndfV/vqD
7iuZQraH1ZrQJAqjVmzHWvEfEPyeaiJPRguu1kmnG8QkSMDtBHIpGvvHCHSU4ioF
+wxMYqlgbfJGakc4s5RO
=wCVy
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close